If you host your own DNS records using Windows-based DNS, follow the steps in this article to manually add the DNS records required for Microsoft 365 services such as email, Microsoft Teams, and device management. After you add these records in Windows-based DNS, your domain is ready to work with Microsoft 365.
To get started, you need to find your DNS records in Windows-based DNS so you can update them. Also, if you're planning to synchronize your on-premises Active Directory with Microsoft, see Non-routable email address used as a UPN in your on-premises Active Directory.
If you have trouble with mail flow or other issues after adding DNS records, see Troubleshoot issues after changing your domain name or DNS records.
Note
When creating or updating DNS records, it typically takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a DNS record change to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see Find and fix issues after adding your domain or DNS records.
Find your DNS records in Windows-based DNS
To access DNS management for your domain in Windows Server, follow these steps:
Sign in to your Windows Server as an administrator.
Right-click Start, and then select Run.
In the Run dialog box, enter dnsmgmt.msc, and then select OK.
In the DNS Manager window, expand <DNS server name> > Forward Lookup Zones.
Select your domain. You're now ready to create the DNS records.
Add a TXT record for domain ownership verification
Before you can use your domain with Microsoft 365, you need to prove you own the domain. Your ability to create the DNS record on your Windows Server DNS server proves to Microsoft that you own the domain. This process involves creating a TXT record on your Windows Server DNS server with a specific value that Microsoft can look for. When Microsoft finds the record with the correct value, your domain is verified. The TXT record is used only to verify that you own your domain. It doesn't affect anything else and can be deleted once domain verification is complete.
Note
The procedures in this section assume that you started the process of adding a domain, but you didn't verify domain ownership yet.
To add the TXT record for domain verification on your Windows Server DNS server, follow these steps:
Get the TXT value specific for your domain from the Microsoft 365 admin center. For help on finding the value of your TXT record in the Microsoft 365 admin center, see Gather the information you need to create DNS records.
If not already open, open DNS Manager as described in Find your DNS records in Windows-based DNS.
In DNS Manager, go to the Action menu and then select Other New Records...
Under Select a resource record type: in the Resource Record Type window, select Text (TXT), and then select Create Record...
In the New Resource Record dialog box, enter the following values for the TXT record required for email:
- Record name: @
- Text: <Enter the TXT value from the Microsoft 365 admin center that you obtained in step 1 here>
Select OK.
Important
In some versions of Windows Server DNS Manager, the domain might be set up so that when you create a TXT record, the host name defaults to the parent domain. In this situation, when adding a TXT record, set the host name to blank (no value) instead of setting it to @ or the domain name.
To verify the record in the Microsoft 365 admin center, follow these steps:
Sign in to the Microsoft 365 admin center.
From the left navigation bar, select ... Show all, and then select Settings to expand it.
Under Settings, select Domains.
In the Domains page, select the ellipsis ⋮ next to the domain that you're verifying, and then select Start setup.
In the Verify you own your domain page, make sure Add a TXT record to the domain's DNS records is selected, and then select Continue.
On the Add a record to verify domain ownership page, select Verify.
After you verify domain ownership, the How do you want to connect your domain? page appears. The rest of the wizard walks you through adding additional DNS records to connect your domain to Microsoft 365 services. For more information, see the following article or the following sections in this article:
- Connect to Microsoft services by adding DNS records.
- Add an MX record to enable email delivery to Microsoft 365.
- Add a CNAME record so email accounts are automatically set up in Outlook and other email clients.
- Add an SPF TXT record to help prevent email spam.
- DNS records for Microsoft Teams.
- DNS records for Microsoft Intune and Mobile Device Management for Microsoft 365.
Non-routable email address used as a UPN in your on-premises Active Directory
If you're planning to synchronize your on-premises Active Directory with Microsoft, make sure that the Active Directory user principal name (UPN) suffix is a valid domain suffix. Domain suffixes such as @contoso.local aren't supported. If you need to change your UPN suffix, see How to prepare a non-routable domain for directory synchronization.
Add MX record
To add an MX record so email for your domain comes to Microsoft, follow these steps:
Get the MX value specific for your domain from the Microsoft 365 admin center. For help on finding the value of your MX record in the Microsoft 365 admin center, see Gather the information you need to create DNS records.
The MX record looks like the following example:
<MX token>.mail.protection.outlook.com
Where <MX token> is a value like MSxxxxxxx.
If not already open, open DNS Manager as described in Find your DNS records in Windows-based DNS.
In DNS Manager, go to the Action menu and then select New Mail Exchanger (MX)...
In the New Resource Record dialog box, enter the following values:
- Host or child domain: <Leave this field blank>
- Fully qualified domain name (FQDN) of mail server: Enter the MX value as determined from the Microsoft 365 admin center.
- Preference: Enter the priority value for the MX record (normally 0 or 10).
Select OK.
Remove any previous MX records. If you have any old MX records for this domain that route email somewhere else, select the check box next to each old record, and then select Delete > OK.
Add CNAME records
To add the required CNAME records for your domain to work with Microsoft services, follow these steps:
If not already open, open DNS Manager as described in Find your DNS records in Windows-based DNS.
In DNS Manager, go to the Action menu and then select New Alias (CNAME)...
In the New Resource Record dialog box, enter the following values for the CNAME record required for email:
- Alias name: autodiscover
- Fully qualified domain name (FQDN) for target host: autodiscover.outlook.com
Select OK.
Repeat the steps to also add the following CNAME records required for Teams and Mobile Device Management (MDM)/Microsoft Intune:
Teams:
Alias name: sip
Fully qualified domain name (FQDN) for target host: sipdir.online.lync.com
Alias name: lyncdiscover
Fully qualified domain name (FQDN) for target host: webdir.online.lync.com
Mobile Device Management (MDM)/Microsoft Intune:
Alias name: enterpriseregistration
Fully qualified domain name (FQDN) for target host: enterpriseregistration.windows.net
Alias name: enterpriseenrollment
Fully qualified domain name (FQDN) for target host: enterpriseenrollment-s.manage.microsoft.com
Add a TXT record for SPF to help prevent email spam
Important
You can't have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, email errors, delivery issues, and spam classification issues can all occur. If you already have an SPF record for your domain, don't create a new one for Microsoft. Instead, add the required Microsoft values to the current record so that you have a single SPF record that includes both sets of values.
To add the SPF TXT record for your domain to help prevent email spam, follow these steps:
If not already open, open DNS Manager as described in Find your DNS records in Windows-based DNS.
In DNS Manager, go to the Action menu and then select Other New Records...
Under Select a resource record type: in the Resource Record Type window, select Text (TXT), and then select Create Record...
In the New Resource Record dialog box, enter the following values for the TXT record required for email:
- Record name: @
- Text: v=spf1 include:spf.protection.outlook.com -all
Note
You might already have other strings in the TXT value for this record (such as strings for marketing email). Leave those strings in place and add this one, placing double-quotes (") around each string to separate them.
In some versions of Windows Server DNS Manager, the domain might be set up so that when you create a TXT record, the host name defaults to the parent domain. In this situation, when adding a TXT record, set the host name to blank (no value) instead of setting it to @ or the domain name.
Select OK.
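The single-SPF-record rule in this section, as an added example that is not part of the original article: a PowerShell function that takes the TXT strings already published at the zone apex and returns the one SPF value to publish, adding the Microsoft include to an existing record instead of creating a second one. The function name and the sample records are constructed for illustration.

```powershell
# Added example, not from the original article. Merge-M365Spf is a hypothetical name.
function Merge-M365Spf {
    param(
        # All TXT strings currently published at the zone apex
        [string[]]$ApexTxt = @()
    )
    $include = 'include:spf.protection.outlook.com'

    # SPF records are the TXT values that begin with the v=spf1 version tag
    $spf = @($ApexTxt | Where-Object { $_ -match '^v=spf1(\s|$)' })

    if ($spf.Count -gt 1) {
        throw "Found $($spf.Count) SPF records; consolidate them into one first."
    }
    if ($spf.Count -eq 0) {
        return "v=spf1 $include -all"      # no SPF yet: use the article's value
    }

    $terms = @($spf[0] -split '\s+' | Where-Object { $_ })
    if ($terms -contains $include) {
        return $spf[0]                     # Microsoft include already present
    }

    # Insert before the terminal "all" mechanism: terms after "all" are never evaluated
    $out = New-Object System.Collections.Generic.List[string]
    $inserted = $false
    foreach ($t in $terms) {
        if (-not $inserted -and $t -match '^[+\-~?]?all$') {
            $out.Add($include)
            $inserted = $true
        }
        $out.Add($t)
    }
    if (-not $inserted) { $out.Add($include) }   # record had no "all" term
    return ($out -join ' ')
}

# Constructed sample: an unrelated TXT value plus an existing SPF record for another sender
$existing = @('constructed-unrelated-txt-value', 'v=spf1 include:mail.example.net ~all')
Merge-M365Spf -ApexTxt $existing
```

When an SPF record already exists, the function keeps that record's own terminal qualifier rather than replacing it with -all.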
Add SRV records
To add the two SRV records that are required for Teams, follow these steps:
If not already open, open DNS Manager as described in Find your DNS records in Windows-based DNS.
In DNS Manager, go to the Action menu and then select Other New Records...
Under Select a resource record type: in the Resource Record Type window, select Service Location (SRV), and then select Create Record...
In the New Resource Record dialog box, enter the following values:
- Service: _sip
- Protocol: _tls
- Priority: 100
- Weight: 1
- Port number: 443
- Host offering this service: sipdir.online.lync.com
Select OK.
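A check you can run after completing the MX, CNAME and SRV steps, as an added example that is not part of the original article: it compares what DNS returns with the values listed in this article and fails the MX check if an old MX record is still published. The function name, the injectable resolver parameter, the domain contoso.com and the sample answers are constructed; Resolve-DnsName is used by default.

```powershell
# Added example, not from the original article. Names and sample data are constructed.
function Test-M365DnsRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        # Injectable resolver: takes (name, type), returns Resolve-DnsName-style records
        [scriptblock]$Resolver = { param($Name, $Type)
            Resolve-DnsName -Name $Name -Type $Type -DnsOnly -ErrorAction SilentlyContinue }
    )
    # CNAME aliases and targets exactly as listed in this article
    $cnames = [ordered]@{
        autodiscover           = 'autodiscover.outlook.com'
        sip                    = 'sipdir.online.lync.com'
        lyncdiscover           = 'webdir.online.lync.com'
        enterpriseregistration = 'enterpriseregistration.windows.net'
        enterpriseenrollment   = 'enterpriseenrollment-s.manage.microsoft.com'
    }
    $report = @(foreach ($alias in $cnames.Keys) {
        $a = @(& $Resolver "$alias.$Domain" 'CNAME' | Where-Object Type -eq 'CNAME')
        [pscustomobject]@{ Record = "$alias CNAME"; Found = ($a.NameHost -join ', ')
            Ok = ($a.Count -eq 1 -and $a[0].NameHost.TrimEnd('.') -eq $cnames[$alias]) }
    })
    # Every MX at the apex must point at Microsoft 365; a leftover old MX fails the check
    $mx = @(& $Resolver $Domain 'MX' | Where-Object Type -eq 'MX')
    $stray = @($mx | Where-Object { $_.NameExchange.TrimEnd('.') -notlike '*.mail.protection.outlook.com' })
    $report += [pscustomobject]@{ Record = 'MX'; Found = ($mx.NameExchange -join ', ')
        Ok = ($mx.Count -ge 1 -and $stray.Count -eq 0) }
    # SRV record for Teams: _sip._tls on port 443 to sipdir.online.lync.com
    $srv = @(& $Resolver "_sip._tls.$Domain" 'SRV' | Where-Object Type -eq 'SRV')
    $report += [pscustomobject]@{ Record = '_sip._tls SRV'; Found = ($srv.NameTarget -join ', ')
        Ok = ($srv.Count -eq 1 -and $srv[0].Port -eq 443 -and
              $srv[0].NameTarget.TrimEnd('.') -eq 'sipdir.online.lync.com') }
    $report
}

# Constructed answers for contoso.com with one leftover MX, so the check runs offline
$sample = { param($Name, $Type)
    switch ("$Name/$Type") {
        'autodiscover.contoso.com/CNAME' { [pscustomobject]@{ Type = 'CNAME'; NameHost = 'autodiscover.outlook.com' } }
        'contoso.com/MX' {
            [pscustomobject]@{ Type = 'MX'; NameExchange = 'MSxxxxxxx.mail.protection.outlook.com' }
            [pscustomobject]@{ Type = 'MX'; NameExchange = 'mail.old-host.example' }
        }
    }
}
Test-M365DnsRecords -Domain 'contoso.com' -Resolver $sample | Format-Table -AutoSize
```

Omit the -Resolver argument to run the same checks against live DNS for your own domain.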
Support
If you don't find what you're looking for, check the Domains FAQ.
Tip
Some configuration tasks might be complex to perform. For technical support, follow these steps:
- Sign in to the Microsoft 365 admin center.
- At the bottom right, select Help & Support.
- In the Support Assistant pane that opens, enter your question.
- Review the results. If you still have questions, select Contact support.
To learn about your options for contacting support, see Get support for Microsoft 365 for business.